
Been dealing with this problem for a while. UFW seems to only block most of the traffic, as responses do get accepted according to the PCAPs I've done. In the example below the traffic is originating from the system and the return is getting flagged as blocked by UFW. The rule I've outlined was an attempt to see if adding a rule matching return traffic would get it to allow it. But it would not.

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
32768:60999/tcp            ALLOW IN    10050/tcp

Log file: (ton of entries, but they all look like the below line)

Nov 11 11:20:38 nms kernel: [54047.242636] [UFW BLOCK] IN=enp2s0 SRC=172.20.20.4 DST=10.10.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=10050 DPT=57084 WINDOW=0 RES=0x00 RST URGP=0

Inside the application (zabbix) it does not flag any of the remote hosts as being unreachable, which confirms the established connections occurring in some of the pcaps I've run.

Below is a capture of a tcp connection that was allowed.

[image: packet capture]

I'm at a loss here as to why UFW is sometimes allowing and sometimes blocking this return traffic. I've tried reloading the fw, resetting and reapplying rules, reinstalling the ufw package, and restarting the system.

1 Answer


My guess is that the source port is sometimes within the defined range: 32768:60999/tcp and sometimes not.

So either:

  1. allow the whole range as such: 1024:65535

  2. or try to switch the communication to Zabbix active agent, where the agent connects to the server first and then only port 10051 needs to be allowed on the firewall
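As an added example (not code from the question or the answer): a small Python triage script that applies the answer's hypothesis to the whole log rather than to the single posted line. It parses kernel `[UFW BLOCK]` entries and, for packets whose source port is the Zabbix agent port, records whether the destination port falls inside the range the question's rule allows (32768:60999) and whether the packet is a bare RST with WINDOW=0 like the posted entry. Every log line embedded below is constructed; only the first mirrors the posted one. The `parse_port_range` helper reads the output of `sysctl net.ipv4.ip_local_port_range` (or the raw /proc file contents) so the range the rule allows can be compared with the range this host actually draws its outgoing source ports from.

```python
"""Triage UFW BLOCK log entries against the port-range hypothesis.

Added example, not code from the question or the answer. Input is a
constructed sample of kernel netfilter log lines in the same format as
the one posted in the question.
"""
import re
from collections import Counter

# Range the question's rule allows; also the Linux default ip_local_port_range.
EPHEMERAL_RANGE = (32768, 60999)
ZABBIX_AGENT_PORT = 10050  # passive-agent port the question's rule matches on

UFW_LINE = re.compile(r"\[UFW (?P<verdict>[A-Z]+)\] (?P<rest>.*)$")

# Constructed sample log (hypothetical hosts/ports); line 1 mirrors the posted entry.
SAMPLE_LOG = """\
Nov 11 11:20:38 nms kernel: [54047.242636] [UFW BLOCK] IN=enp2s0 SRC=172.20.20.4 DST=10.10.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=10050 DPT=57084 WINDOW=0 RES=0x00 RST URGP=0
Nov 11 11:21:02 nms kernel: [54071.100001] [UFW BLOCK] IN=enp2s0 SRC=172.20.20.9 DST=10.10.3.2 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=4123 DF PROTO=TCP SPT=10050 DPT=61500 WINDOW=229 RES=0x00 ACK URGP=0
Nov 11 11:21:40 nms kernel: [54109.300002] [UFW BLOCK] IN=enp2s0 SRC=203.0.113.7 DST=10.10.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=443 DPT=44420 WINDOW=0 RES=0x00 RST URGP=0
Nov 11 11:22:05 nms kernel: [54134.400003] [UFW BLOCK] IN=enp2s0 SRC=198.51.100.2 DST=10.10.3.2 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=991 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_ufw_line(line):
    """Parse one kernel netfilter log line into a dict.

    KEY=VALUE tokens become entries; bare tokens (DF, SYN, ACK, RST, ...)
    are collected in entry['flags']. Returns None for non-UFW lines.
    """
    m = UFW_LINE.search(line)
    if not m:
        return None
    entry = {"verdict": m.group("verdict"), "flags": set()}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value
        else:
            entry["flags"].add(token)
    for port_key in ("SPT", "DPT"):
        if port_key in entry:
            entry[port_key] = int(entry[port_key])
    return entry


def parse_port_range(text):
    """Extract (low, high) from 'net.ipv4.ip_local_port_range = 32768\t60999'
    or from the raw contents of /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = map(int, re.findall(r"\d+", text)[-2:])
    return low, high


def classify(entry, service_port=ZABBIX_AGENT_PORT, ephemeral=EPHEMERAL_RANGE):
    """Bucket a blocked packet by whether the question's rule could have matched it."""
    if entry is None or entry.get("PROTO") != "TCP":
        return "not-tcp"
    flags = entry["flags"]
    if entry["SPT"] == service_port:
        # Reply traffic from the agent port: the ALLOW IN rule only matches
        # when the destination port (our own source port) is inside the range.
        in_range = ephemeral[0] <= entry["DPT"] <= ephemeral[1]
        base = "bare-rst" if "RST" in flags and entry.get("WINDOW") == "0" else "reply"
        return f"{base}-{'in' if in_range else 'outside'}-range"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"  # a new inbound connection; default deny is correct
    return "other"


def triage(log_text, **kw):
    """Count BLOCK entries per bucket over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry and entry["verdict"] == "BLOCK":
            counts[classify(entry, **kw)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket:24s} {n}")
```

Run it against the real log with `triage(open("/var/log/ufw.log").read())` (path on this host is an assumption) and compare `parse_port_range` of `sysctl net.ipv4.ip_local_port_range` with the range in the rule: the connections originate from this host, so the DPT of each reply is one of this host's own source ports. If most blocked entries land in the `*-outside-range` buckets, the answer's first option (widening the range) is the fix. If they land in `*-in-range`, the port range is not what separates allowed from blocked packets, and the flags column is the next thing to look at: a bare RST with WINDOW=0 that arrives after the connection has already been torn down has no conntrack entry left to match as ESTABLISHED, which is the usual reason a late RST is logged as a block while the application sees nothing wrong.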
